Try to specify minimal pipeline permissions

J12934 · Reet00 · commit a7ea1a330409 · 2025-08-25T14:26:51.000+02:00
Signed-off-by: Jannik Hollenbach &lt;jannik.hollenbach@iteratec.com&gt;
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -10,6 +10,9 @@ on:
       - v[0-9]+.x
   pull_request:
 
+permissions:
+  contents: read
+
 # The CI runs on ubuntu-24.04; More info about the installed software is found here:
 # https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md
 
diff --git a/.github/workflows/documentation-roulette.yaml b/.github/workflows/documentation-roulette.yaml
@@ -9,6 +9,10 @@ on:
   schedule:
     - cron: "0 12 15 * *" # At 12:00 UTC on day-of-month 15
 
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   docu-roulette:
     permissions:
diff --git a/.github/workflows/helm-charts-release-ghcr.yaml b/.github/workflows/helm-charts-release-ghcr.yaml
@@ -7,16 +7,18 @@ on:
     types: [published]
 
 name: "Publish Helm Charts to GHCR"
+
+permissions:
+  contents: read
+  packages: write
+
 env:
   CONTAINER_REGISTRY: ghcr.io/securecodebox
   HELM_VERSION: "v3.12.2"
 jobs:
   GHCR-Helm-Release:
     name: "Publish Helm Charts to GHCR"
     runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-      packages: write
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
diff --git a/.github/workflows/helm-charts-release.yaml b/.github/workflows/helm-charts-release.yaml
@@ -9,6 +9,10 @@ on:
   release:
     types: [published]
 name: "Publish Helm Charts"
+
+permissions:
+  contents: read
+
 jobs:
   helm:
     name: Package and Publish
diff --git a/.github/workflows/helm-docs.yaml b/.github/workflows/helm-docs.yaml
@@ -11,6 +11,10 @@ on:
   push:
     branches:
       - main
+
+permissions:
+  contents: write
+
 jobs:
   helm-docs:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/license-check.yaml b/.github/workflows/license-check.yaml
@@ -10,6 +10,9 @@ on:
       - v[0-9]+.x
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   license-check:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
@@ -16,6 +16,9 @@ on:
   pull_request:
     branches: [master, main]
 
+permissions:
+  contents: read
+
 env: # Comment env block if you do not want to apply fixes
   # Apply linter fixes configuration
   APPLY_FIXES: none # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool)
diff --git a/.github/workflows/move-bot-pr-to-review.yaml b/.github/workflows/move-bot-pr-to-review.yaml
@@ -9,6 +9,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   move-bot-pr-to-review:   
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml
@@ -10,6 +10,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 env:
   # ---- Docker Namespace ----
 
diff --git a/.github/workflows/scb-bot.yaml b/.github/workflows/scb-bot.yaml
@@ -18,6 +18,11 @@ name: Check outdated scanners
 on:
   schedule:
     - cron: "15 9 * * *" # Daily at 9:15 (avoids the beginning of the hour congestion)
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   version-compare:
     runs-on: ubuntu-24.04
